ACLS QUESTION - 2 LAN SEGMENTS - ISSUE

Unanswered Question
Mar 7th, 2012

I have a scenario where 2 LAN segments are separated by a router, Admin and Students. There is a DNS server and an EMAIL server on the Admin segment. Students should be able to access DNS and EMAIL services (SMTP, POP3 and DNS) and no other traffic. Admin should have full access to the Student LAN segment. I managed to implement all the filtering with extended ACLs placed on the router as follows:


access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq pop3
access-list 105 permit tcp any any eq www
access-list 105 permit udp any host 10.20.0.2 eq 53
access-list 105 deny ip any any

int e1/1
 ip access-group 105 in


But for some reason it does not allow any access from the Admin segment to the Student segment.

Email and DNS are working fine from the Student segment, and pings fail as expected after the commands mentioned were issued.

Admin should be able to ping the Student segment.

After attempting many times with different configs I tried the following:


access-list 106 permit ip any any

int e1/0
 ip access-group 106 in


I also tried


int e1/1
 ip access-group 106 in



But Admin still has no access to the Student segment!

Why not?

A few fellows tried it out as well in Packet Tracer with no successful results...

I would really appreciate some help ASAP!

Thank you in advance,

Miguel


---

Posted by WebUser Miguel Pcn

Dan-Ciprian Cicioiu Thu, 03/08/2012 - 03:48

Hi Miguel ,



Your issue is the returning packet for the session initiated by the Admin, caused by the deny ip any any on access-list 105.

For the "ping" from admin to student to work add :


   access-list 105 permit icmp any any echo-reply


What kind of access is needed from Admin to Student?


Dan
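To make the point in the reply above concrete, and to show that it applies to TCP sessions started from the Admin side just as it does to ping, here is an added example that is not part of the thread: a small Python evaluator that walks packets through ACL 105 the way IOS does (first matching entry wins, implicit deny at the end, no connection state). The addresses for the student and admin hosts (10.10.0.0/24 and 10.20.0.0/24) are assumptions; only the DNS server 10.20.0.2 comes from the post. The "fixed" list adds the echo-reply entry from the reply plus `permit tcp any any established`, the stateless IOS keyword that matches TCP segments with ACK or RST set, which is what the SYN/ACK and later segments of an admin-initiated session carry when they come back in on the student-facing interface.

```python
"""Stateless first-match evaluation of extended ACL 105 from the thread.
Added example, not code from the original post; host addresses are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol, otherwise exact
    src: str                        # "any", a host address, or a CIDR network
    dst: str
    dport: Optional[int] = None     # "eq <port>" on the destination port
    icmp_type: Optional[str] = None  # e.g. "echo-reply"
    established: bool = False       # IOS "established": TCP with ACK or RST set


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    icmp_type: str = ""
    tcp_flags: FrozenSet[str] = frozenset()


def _addr_ok(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_ok(ace.src, pkt.src) and _addr_ok(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    if ace.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; every IOS ACL ends with an implicit deny ip any any."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# ACL 105 exactly as posted, applied inbound on the student-facing interface.
ACL_105_POSTED = [
    Ace("permit", "tcp", "any", "any", dport=25),               # eq smtp
    Ace("permit", "tcp", "any", "any", dport=110),              # eq pop3
    Ace("permit", "tcp", "any", "any", dport=80),               # eq www
    Ace("permit", "udp", "any", "10.20.0.2/32", dport=53),      # host 10.20.0.2 eq 53
    Ace("deny", "ip", "any", "any"),
]

# Same ACL with the return-traffic entries placed ABOVE the explicit deny.
ACL_105_FIXED = ACL_105_POSTED[:4] + [
    Ace("permit", "icmp", "any", "any", icmp_type="echo-reply"),
    Ace("permit", "tcp", "any", "any", established=True),
    Ace("deny", "ip", "any", "any"),
]

# Constructed packets as they arrive inbound from the student side (assumed addressing:
# students 10.10.0.0/24, admin 10.20.0.0/24; the DNS server 10.20.0.2 is from the post).
PACKETS: Dict[str, Packet] = {
    "dns_query":   Packet("udp", "10.10.0.5", "10.20.0.2", dport=53),
    "echo_reply":  Packet("icmp", "10.10.0.5", "10.20.0.10", icmp_type="echo-reply"),
    "syn_ack":     Packet("tcp", "10.10.0.5", "10.20.0.10", dport=51234,
                          tcp_flags=frozenset({"SYN", "ACK"})),   # reply to an admin-initiated connection
    "student_syn": Packet("tcp", "10.10.0.5", "10.20.0.10", dport=23,
                          tcp_flags=frozenset({"SYN"})),          # student trying to open telnet to admin
    "spoofed_ack": Packet("tcp", "10.10.0.5", "10.20.0.10", dport=23,
                          tcp_flags=frozenset({"ACK"})),          # crafted ACK-only probe from a student
}


def verdicts(acl: List[Ace]) -> Dict[str, str]:
    """Verdict of the given ACL for each constructed packet."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("posted", ACL_105_POSTED), ("fixed", ACL_105_FIXED)):
        print(label, verdicts(acl))
```

Two practical caveats follow from running this. First, a line added to a numbered ACL with `access-list 105 ...` is appended after the existing `deny ip any any`, where it never matches; remove and re-enter the list (or use a named ACL with sequence numbers) so the new entries sit above the deny, as in `ACL_105_FIXED`. Second, both `echo-reply` and `established` are stateless: the `spoofed_ack` packet, a crafted ACK-only segment from the student side, is permitted by the fixed list even though no admin session exists, so if the student segment is untrusted a reflexive ACL or CBAC/zone-based firewall is the stateful alternative.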
